WhiteMail
WhiteMail

AI email security that judges by context

Connect a mailbox and WhiteHat orchestrates seven specialist agents to inspect every message in real time — judging threats by intent and context, not known patterns.

7 detection layersExplainable verdictsEnglish-first (en-first)Data sovereignty · cloud or on-prem
[Urgent] Wire approval needed — Summit project
M
CFO Marcus Thorne <cfo@summit-finance.co>
To: Finance team

Please wire to the new account below by end of day.

It is contract-confidential — do not share or call to verify.

📎 Invoice_49916.pdf
WhiteMail investigationInvestigating…
  1. ·
    SA-01 Identity

    Display name is an exec but the domain is unrelated · Reply-To mismatch

  2. ·
    SA-02 Infrastructure

    SPF/DMARC fail · new look-alike domain (summit-finance.co)

  3. ·
    SA-03 Links & visual

    Links to a fake Microsoft 365 login page

  4. ·
    SA-04 Intent

    Urgent wire + secrecy pressure — BEC pattern

BLOCKBECImpersonation + urgent wire · risk 0.96
Threat landscape

Today's most dangerous emails don't look malicious

BEC, AI-generated phishing, quishing, supply-chain account takeover (VEC) — no attachment, no known signature. Rule- and reputation-based gateways miss them because they can't read context.

Business Email Compromise (BEC)Social-engineering fraud impersonating execs/vendors to trigger wires or data leaks — often with no link or attachment.Learn more

Impersonates execs or vendors to push urgent wires and account changes.

AI-generated phishingA deceptive message impersonating a trusted party to steal credentials, money, or sensitive data.Learn more

Flawless, polished lures that harvest credentials.

Quishing (QR phishing)Phishing that hides a malicious link behind a QR code to bypass URL filters.Learn more

Hides malicious links behind a QR code to slip past filters.

Vendor account takeover (VEC)A supply-chain BEC where a trusted vendor's account is hijacked to swap payment details on invoices.Learn more

A trusted vendor's account is hijacked and payment details are swapped.

Detection approach

Beyond rules — to context

Two ways to stop email threats — and why WhiteMail combines both.

Rule-based

Fixed rules block known patterns fast and precisely — but miss novel variants and clever mutations not in the ruleset.

AI · context

Like a person reading email, it understands intent and context to tell legitimate mail from threats even when no rule matches.

Known threats by rules, unknown by AI. WhiteMail combines deterministic rules with a self-hosted sLLM so neither blind spot is left open.

Pipeline

Connect → Analyze → Decide → Respond

A four-stage pipeline that finishes the moment mail arrives

01
1. Connect a mailbox

IMAP, Gmail, Outlook in five minutes — no MX change required.

02
2. Seven agents analyze

Identity, infrastructure, links, intent, behavior, attachments — in parallel.

03
3. Context-based verdict

Weighted aggregation, cross-agent correlation, and org policy decide allow/flag/block.

04
4. Respond & trace

Quarantine/release, org-wide audit, and step-by-step rationale in the console.

Seven specialist agents

Spam, phishing, BEC, impersonation, attachments — one engine, no blind spots.

SA-01
Identity

Detects display-name, Reply-To and Return-Path mismatches and impersonation.

SA-02
Infrastructure

Checks SPF/DKIM/DMARC, new and look-alike domains, and abused TLDs.

SA-03
Links & Visual

Catches URL mismatches, shorteners, redirects, IP URLs and QR lures.

SA-04
Intent

Reads malicious intent: urgent transfers, account changes, credential theft.

SA-05
Behavior

Judges the relationship: first contact, repeat offenders, vendor-payment pivots (VEC).

SA-06
Attachments

Flags executables, deceptive double extensions, macro-enabled docs and HTML files.

SA-07
Reputation

Enriches with external IP/domain/URL reputation and domain registration age (WHOIS) to catch newly-registered and known-malicious infrastructure.

+
Your custom agent

Add your own domain-specific agent — no core changes needed.

SA-01
Identity

Detects display-name, Reply-To and Return-Path mismatches and impersonation.

SA-02
Infrastructure

Checks SPF/DKIM/DMARC, new and look-alike domains, and abused TLDs.

SA-03
Links & Visual

Catches URL mismatches, shorteners, redirects, IP URLs and QR lures.

SA-04
Intent

Reads malicious intent: urgent transfers, account changes, credential theft.

SA-05
Behavior

Judges the relationship: first contact, repeat offenders, vendor-payment pivots (VEC).

SA-06
Attachments

Flags executables, deceptive double extensions, macro-enabled docs and HTML files.

SA-07
Reputation

Enriches with external IP/domain/URL reputation and domain registration age (WHOIS) to catch newly-registered and known-malicious infrastructure.

+
Your custom agent

Add your own domain-specific agent — no core changes needed.

Autonomous response

It doesn't stop at detection — autonomous response

The work is what happens after the verdict. WhiteMail automates report handling, quarantine, employee guidance, and reporting — so it lifts the load off your analysts.

Auto-triaged abuse mailbox

When an employee reports a suspicious email it's analyzed, classified (threat / safe), and auto-closed instantly — it never piles up in an analyst queue.

Auto quarantine & release

Blocked mail is pulled from the inbox automatically; false positives are released in one click. Monitor mode reports only and never touches the mailbox.

Instant employee guidance

Explains why a message is risky in plain language any employee can act on — before they click.

Runs alongside your gateway

Connects post-delivery over API with no MX change — augments or displaces your existing Secure Email Gateway (SEG).

Why WhiteMail

Why WhiteMail

Explainable verdicts

Every decision is traceable to per-agent scores, signals, and escalation. Not a black box.

Data sovereignty

Runs in the cloud or fully on-prem; with a self-hosted sLLM, message content never leaves your perimeter.

English-first

English UI, signals, and verdict rationale throughout — detection covers global BEC, phishing, and impersonation.

Enterprise integration

IMAP/Gmail/Outlook, real-time push, and SIEM/SOAR export.

Multi-tenant

Per-org policy, dashboards, and roles — up to MSSP operation.

Cost-optimized LLM

Rules filter first; only ambiguous mail hits the model — costs stay controlled.

Deployment

Deploy to match how you operate

Start with non-disruptive monitoring, then switch to inline blocking when you're ready.

API integration (ICES)

Scan post-delivery via API and claw back malicious mail. Five-minute deploy, zero disruption.

Monitoring (journaling)

Receive a copy and report threats — prove value with no impact on mail flow.

Inline blocking

Block before the inbox via connector or gateway.

SIEM / SOAR

Stream every verdict to Splunk or Sentinel for automated response.

About us

We build email security that judges by context.

WhiteHat builds a security engine that understands a sender's intent and relationships the way a person reads email. Seven specialist agents collaborate to catch the targeted threats — BEC, AI phishing, quishing, supply-chain account takeover — that signature- and reputation-based tools miss. We design English-first, with data sovereignty in mind, and run the same engine in the cloud or fully on-prem.

Mission

Protect digital trust — so threats can never deceive people.

Approach

Context over patterns — explainable verdicts.

Principle

Customer data stays the customer's. Sovereign by design.

Protect your inbox in a minute

Start with no credit card. Try it instantly with the demo organization.

Get started free